Hacker & Security Analyst at HackerOne

Neglected DNS records exploited to takeover subdomains

February 20, 2015 | Yassine ABOUKIR | 8 Comments

In this write-up I will be talking about a security issue identified in the Redbooth platform, which "is a communication and collaboration platform that provides a single place for shared tasks, discussions, file sharing, and more." – Read more at: https://www.crunchbase.com/organization/redbooth

As the title says, exploiting the issue allowed me to take over two of their subdomains. So what is this about? When I was checking the website's DNS records I noticed a CNAME pointing the subdomain blog.redbooth.com to teambox-redirect-to-new-blog.herokuapp.com, but when I visited the blog subdomain I discovered that it was not correctly set up yet: the app name teambox-redirect-to-new-blog had not yet been registered on Heroku. See the photo below:

Figure 1: Heroku answers "No such app" for the unregistered app name

So my next step was to sign up for the service and claim the domain as mine on Heroku.com, since Heroku does not perform any kind of verification that you are the legitimate owner of the domain.

Figure 2: Heroku custom domain setup

Now that the DNS record was already in place and the subdomain was linked to the Heroku app, all I needed to complete a full proof of concept was to upload a test web page, as you can see below:

Figure 3: Redbooth blog subdomain taken over

Following the same steps I was also able to take over another subdomain, http://support.redbooth.com/, exploiting the fact that the developers had neglected the DNS records.

Figure 4: Support subdomain taken over

I just want to point out that this vulnerability is not a code bug but the result of neglect. The company may have used the service for a while and then stopped, but forgot to remove the CNAME from their DNS records, which, by the way, are publicly visible. The vulnerability could be exploited in many ways, including, for instance:

– Creating a fake login page similar to the original one.
– Redirecting users to malicious web pages.
– Injecting malicious code designed, for example, to steal cookies.
– Defacing the web page and destroying the company's credibility.
– etc.
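The root cause described above, a CNAME left pointing at a Heroku app name that nobody has claimed, is something a zone owner can audit for. The script below is an added example, not code from the original post or from Redbooth or Heroku: it parses CNAME lines in zone-file syntax and flags each record whose target either no longer resolves or points at herokuapp.com and answers with the "No such app" text shown in Figure 1. All owner names, IP addresses and responses are constructed; the resolver and HTTP fetch are injected as callables so the block runs offline, and for a real audit of a zone you administer you would pass in socket.gethostbyname and an urllib-based fetch instead of the lookup tables.

```python
"""Audit CNAME records for dangling targets (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone in BIND syntax. Owner names mirror the write-up's
# blog/support pattern but use a .example domain; nothing here is a real record.
SAMPLE_ZONE = """
blog.redbooth.example.     300 IN CNAME teambox-redirect-to-new-blog.herokuapp.com.
support.redbooth.example.  300 IN CNAME unclaimed-helpdesk.herokuapp.com.
www.redbooth.example.      300 IN CNAME live-site.herokuapp.com.
old.redbooth.example.      300 IN CNAME gone.example.net.
"""

# Constructed stand-ins for network lookups. A value of None from the resolver
# models NXDOMAIN. Heroku's edge resolves even for unclaimed app names, which is
# why resolution alone is not enough and the HTTP body must be checked as well.
FAKE_RESOLVER: Dict[str, Optional[str]] = {
    "teambox-redirect-to-new-blog.herokuapp.com": "203.0.113.10",
    "unclaimed-helpdesk.herokuapp.com": "203.0.113.10",
    "live-site.herokuapp.com": "203.0.113.11",
    "gone.example.net": None,
}
FAKE_HTTP_BODY: Dict[str, str] = {
    "teambox-redirect-to-new-blog.herokuapp.com": "<h1>No such app</h1>",
    "unclaimed-helpdesp.herokuapp.com": "<h1>No such app</h1>",
    "unclaimed-helpdesk.herokuapp.com": "<h1>No such app</h1>",
    "live-site.herokuapp.com": "<html><body>Welcome</body></html>",
}

# Provider fingerprint: hostname suffix -> text that means the app is unclaimed.
# The Heroku entry is the one the write-up shows in Figure 1.
FINGERPRINTS: Dict[str, str] = {"herokuapp.com": "No such app"}

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    owner: str    # the subdomain in our zone
    target: str   # what the CNAME points at
    reason: str   # "nxdomain" or "unclaimed:<provider>"


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Extract (owner, target) pairs from CNAME lines; trailing dots stripped."""
    pairs = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            pairs.append((m.group(1).rstrip(".").lower(), m.group(2).rstrip(".").lower()))
    return pairs


def matching_provider(target: str) -> Optional[str]:
    """Return the fingerprint suffix that covers target, if any."""
    for suffix in FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def audit_cnames(zone_text: str,
                 resolve: Callable[[str], Optional[str]],
                 fetch_body: Callable[[str], Optional[str]]) -> List[Finding]:
    """Flag CNAMEs whose target is gone (NXDOMAIN) or unclaimed at a known provider."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if resolve(target) is None:
            findings.append(Finding(owner, target, "nxdomain"))
            continue
        provider = matching_provider(target)
        if provider is None:
            continue
        body = fetch_body(target) or ""
        if FINGERPRINTS[provider].lower() in body.lower():
            findings.append(Finding(owner, target, f"unclaimed:{provider}"))
    return findings


def dangling_owners(zone_text: str, resolve, fetch_body) -> List[str]:
    """Just the subdomains whose CNAME should be removed or whose target re-registered."""
    return sorted({f.owner for f in audit_cnames(zone_text, resolve, fetch_body)})


if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_ZONE, FAKE_RESOLVER.get, FAKE_HTTP_BODY.get):
        print(f"{f.owner} -> {f.target}: {f.reason} (remove the CNAME or re-register the target)")
```

Running the audit against the sample zone reports blog and support as unclaimed Heroku targets and old as NXDOMAIN, while www, whose target serves a real page, is left alone. The fix for each finding is the one the post implies: delete the stale CNAME from the zone, or re-register the target name with the provider before anyone else does.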

The security issues were forwarded to their engineering team on 02/09/2015 and were fixed by 02/11/2015. Although their response was not much appreciated, I did receive a small token of thanks, and overall I am glad to have contributed to the security of their web service.

If you want to read further about this attack vector, I recommend this great article: http://labs.detectify.com/post/109964122636/hostile-subdomain-takeover-using

Thank you for reading!

This article has 8 comments
  1. Sam
    26 March 2015

    Nice n clear post 🙂

  2. AndalasWuik
    28 April 2015

    I really love to see your blog, fortunate for me to have found this informative content. This text provides enough description for us, keep it up.

  3. Payoneer
    5 May 2015

    Amazing! It's actually an amazing article, I have got a much clearer idea on the topic from this piece of writing.

  4. quest bars
    12 May 2015

    Hello, I am so grateful I found your webpage, I
    really found you by accident, while I was looking on Bing for something
    else. Anyway, I am here now and would just like to say many thanks for
    a remarkable post and an all round enjoyable blog (I also love the theme/design). I don't have time to
    read through it all at the moment but I have saved it and also included your RSS feeds, so when I have time I will be back to read a lot more. Please do keep up the awesome job.

  5. minecraft.net
    12 May 2015

    Greetings! Very useful advice in this particular
    article! It’s the little changes that will make the largest changes.

    Thanks for sharing!

  6. quest bars
    26 August 2015

    Very good information. Lucky me I ran across your website by chance (stumbleupon).
    I’ve saved as a favorite for later!

  7. quest bars
    28 August 2015

    I take pleasure in, lead to I found exactly what I was
    having a look for. You have ended my four day long hunt!
    God Bless you man. Have a great day. Bye

  8. Gopinath
    10 February 2018

    Can the Heroku error subdomain below be taken over? Not able to add the subdomain in Heroku.
    Getting the following error: Domain "beta-api.***.com" could not be created: beta-api.***.com is currently in use by another app.
    Any help would be appreciated.

    Is Heroku subdomain takeover still possible?
